Recommended action
Block this updateStatic evidence trips multiple high-signal indicators. Quarantine the release until the publisher validates the change or you can rule out the indicators below.
Block this release in CIcurl · GitHub Actions
Fail the build when this package version is added or upgraded. Replace $PKGRADAR_TOKEN with a Pro / Team API key from your dashboard.
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer $PKGRADAR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"specs":["@rovela-ai/[email protected]"],"fail_on":"high"}'GitHub Actions step:
- name: PkgRadar gate
run: |
curl -fsS https://pkgradar.com/gate/npm \
-H "Authorization: Bearer ${{ secrets.PKGRADAR_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{"specs":["@rovela-ai/[email protected]"],"fail_on":"high"}'Why flagged
What the scanner saw
Remote Payload: matched "cUrl "
Not observed: package install, lifecycle script execution, or sandbox execution. PkgRadar only inspects on-disk artifacts.
Availability ledger
available
Status history (1 event)
- new → available · risk high · score 66 · status changed
Related candidates
Linked campaigns and clusters
egbennis
3 members · evidence strength 67Evidence
Static findings
16 static · 0 from release diff · showing high-signal first.
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/media/config.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/media/server/presign.js | matched "cUrl\n " | 12 |
Show all 16 findings (low-signal and informational)
| Severity | Kind | Path | Detail | Points |
|---|---|---|---|---|
| medium | Remote Payload | package/dist/media/config.js | matched "cUrl " | 12 |
| medium | Remote Payload | package/dist/media/server/presign.js | matched "cUrl\n " | 12 |
| low | Obfuscation | package/dist/admin/components/AdminAcceptInviteForm.js | matched "\\u2192" | 3 |
| low | Obfuscation | package/dist/admin/components/AdminBarBanner.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/admin/components/AdminForgotPasswordForm.js | matched "\\u2190" | 3 |
| low | Obfuscation | package/dist/admin/components/AdminResetPasswordForm.js | matched "\\u2190" | 3 |
| low | Obfuscation | package/dist/core/cookie-consent/CookieBanner.js | matched "\\u00D7" | 3 |
| low | Obfuscation | package/dist/analytics/views/DashboardsView.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/admin/components/PermissionsMatrix.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/admin/components/PrimaryMetricsRow.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/admin/components/ProductTable.js | matched "\\u2014" | 3 |
| low | Obfuscation | package/dist/admin/components/SecondaryMetricsRow.js | matched "\\u00B7" | 3 |
| low | Obfuscation | package/dist/admin/components/SetupGuide.js | matched "\\u00B7" | 3 |
| low | Obfuscation | package/dist/admin/components/ShippingSettings.js | matched "\\u00D7" | 3 |
| low | Obfuscation | package/dist/admin/components/TaxSettings.js | matched "\\u00D7" | 3 |
| low | Obfuscation | package/dist/admin/components/UsersTable.js | matched "\\u2014" | 3 |
Manifest
Package metadata
Scripts7
buildtsc && cp -r src/admin/styles dist/admin/cleanrm -rf dist tsconfig.tsbuildinfodb:generatedrizzle-kit generatedb:migratedrizzle-kit migratedb:pushdrizzle-kit pushdb:studiodrizzle-kit studiodevtsc --watch
Dependencies14
@aws-sdk/client-s33.978.0@aws-sdk/s3-request-presigner3.978.0@neondatabase/serverless1.0.2bcryptjs3.0.3clsx2.1.1drizzle-orm0.44.7lucide-react0.555.0nanoid5.1.6next-auth4.24.13recharts3.7.0resend6.9.1stripe20.3.0tailwind-merge3.4.0zustand5.0.10